Another day, another Chinese hack: 4.5M medical records reportedly accessed at national hospital operator

By Michael Carney , written on August 18, 2014

From The News Desk

In the latest evidence that corporate and consumer data are constantly under attack, Nashville-based Community Health Systems revealed in August 18 filing with the SEC that 4.5 million patient records were accessed by hackers.

The hospital operator points the finger at "Chinese hackers," and describes the attack vector as "highly sophisticated malware." The hack reportedly took place between April and June. The company writes:

The attacker was able to bypass the Company's security measures and successfully copy and transfer certain data outside the Company.
Community Health Systems contracted computer security firm Mandiant following the breach and has cooperated with federal investigators in uncovering and analyzing the attack. The company was contracted with FireEye at the time of the attack.

The outside investigators described the breach as dealing with "non-medical patient identification data," adding that no financial data was stolen. The data, which includes patient names, addresses, birth dates, telephone numbers, and Social Security numbers, was, however, protected under the Health Insurance Portability and Accountability Act (HIPPA).

It would be rare if such a coordinated attack on a major corporation didn't access either consumer financial data or some form of corporate IP, like medical device and equipment development data – there is no word at this point on the latter. Notably, the FBI previously warned the healthcare sector in April that its standard of cybersecurity was inadequate compared to other high-value industries.

The company reports that it has "completed eradication of the malware from its systems and finalized the implementation of other remediation efforts that are designed to protect against future intrusions of this type." In news that will please its shareholders but not those affected by this attack, the company adds that it's insured against losses such as this and does not expect the incident to materially affect its financial results. Phew.

Community Health Systems joins a long list of large companies suffering from major cybersecurity breaches. Among them, Target, Sony, Global Payment Systems, eBay, Visa, Adobe, Yahoo, AOL, Zappos, Marriott/Hilton, 7-Eleven, NASDAQ, and others. With corporate computer systems growing exponentially in size and complexity, it only takes a single vulnerability to render them compromised. And with the financial (and often strategic corporate and military) incentives to breach these databases higher than ever, it's a trend that should be expected to continue.